(19) Europäisches Patentamt / European Patent Office / Office européen des brevets

(11) EP 0 781 003 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 25.06.1997 Bulletin 1997/26

(51) Int. Cl.6: H04L 9/32

(21) Application number: 96114510.9

(22) Date of filing: 11.09.1996

(84) Designated Contracting States: BE CH DE DK ES FR GB IE IT LI NL SE

(30) Priority: 22.12.1995 US 577922

(71) Applicant: GENERAL INSTRUMENT CORPORATION OF DELAWARE, Chicago, Illinois 60631 (US)

(72) Inventors:
• Sprunk, Eric, Carlsbad, California 92009 (US)
• Moroney, Paul, Olivenhain, California 92024 (US)
• Candelore, Brant, San Diego, California 92109 (US)

(74) Representative: Hoeger, Stellrecht & Partner, Uhlandstrasse 14 c, 70182 Stuttgart (DE)

(54) Generation of cryptographic signatures using hash keys



(57) A method and apparatus are provided for generating a digital signature that authenticates information of a plurality of different information groups. Information from each group is hashed to produce a separate hash key for each group authenticating the information in that group. Particular combinations of the hash keys are hashed together to produce at least one combined hash key. Each of the hash keys is ultimately combined in a predetermined order with all other hash keys via the combined hash keys to produce the digital signature in a manner that authenticates the information of all of the information groups. The digital signature is reproducible without access to all of the information groups authenticated thereby. Instead, information from a first information group is provided together with a set of hash keys and combined hash keys embodying authenticated information from the other groups. The hash key for the first information group is produced locally and combined with the other hash keys and/or combined hash keys in order to reproduce the digital signature.
Description

BACKGROUND OF THE INVENTION 

The present invention relates to the generation of cryptographic signatures, and more particularly to methods and apparatus for generating and recovering cryptographic signatures that authenticate information from a plurality of different message groups without requiring the transmission of all of the authenticated information. The invention is applicable to any security scheme in which information is authenticated by a signature, including telecommunications applications wherein controlled access to various signals is required. Examples of such telecommunications applications include satellite and cable television systems, electronic mail systems, personal communicators, cellular telephones and the like. Applications outside of the telecommunications field include the secure storage and retrieval of digital data.

Although the present invention is described herein in connection with a secure broadcasting system for television signals, it is to be understood that the invention is applicable to virtually any application in which a cryptographic signature is provided from different groups of information. The scope of the present invention and claims is intended to cover all such applications.

For purposes of the present disclosure, a secure broadcasting system is defined as one in which a large number of services (e.g., television services) are broadcast over a common medium to a large number of independent receivers having access to a controlled selection of the broadcast services. The individual services may comprise audio, video, data or any combination of these. An example of such a system is illustrated in Figure 1.

In the secure broadcasting system of Figure 1, input signals are encoded and transmitted by an encoder/transmitter 10 to a plurality of receivers 14, 16, 18 via a transmission channel. The transmission channel can comprise, for example, a satellite transmission channel having a satellite 12 which receives signals from the encoder/transmitter 10 and distributes them using conventional satellite communication techniques to the receivers 14, 16 and 18. In a satellite television embodiment, the input signals to the encoder/transmitter 10 will comprise television program signals, access control signals and various other data that is to be communicated to the receivers via the satellite distribution system. As will be appreciated by those skilled in the art, the receivers 14, 16, 18 can comprise any combination of commercial receivers and consumer receivers. Commercial receivers are those used by service providers, such as cable television operators, to receive signals from the satellite and redistribute them over a network such as a cable television system, typically for a fee. Consumer receivers are those found in the homes or offices of end users that receive the services, also typically for a fee.



Each data stream communicated over the secure broadcasting system has associated with it certain access requirements. Each receiver contains a decoder that has a set of authorization rights used to determine which data streams the receiver is entitled to access. The authorization rights of any decoder can be changed at any time by an encrypted message communicated over the system. Furthermore, by means of tiers which denote access requirements, the access requirements for each data stream may be changed by a new encrypted message. For each particular data stream, the encrypted message used to change the access requirements can also define the length of time that the access requirements exist.

Different programs or broadcast events available via the broadcasting system can be grouped together to form a service. A service must identify which authorization rights are required by a decoder to receive that service. A service may have one or more alternative access requirements. The service specifies a list of different access requirements, at least one of which must be valid for a specific decoder to access a specific service. The decoder determines validity by referencing its specified list of authorization rights. The term "tier" is used to generically denote either a specific access requirement or authorization right, depending on context.

A multitude of different access requirements for numerous different services are possible, and these correspond to a multiplicity of possible authorization rights held in decoders. These can be managed by the decoders through the use of an authorization rights vector. For example, the position of a bit within an authorization rights vector can identify a specific tier corresponding to a specific access requirement. The value of that bit determines whether or not the decoder has authorization rights to decode that particular service.

A set of authorization right and access requirement definitions comprises a group of information sometimes referred to as a "category." Each different category can be labeled with a unique category number. As indicated above, access requirements for any service can be changed at any time by an encrypted message. In a practical implementation, multiple categories with independent sets of access requirements and corresponding authorization right definitions are simultaneously supported for a single service. These multi-category access requirements must be defined as a set for all decoders that might access that service, yet each category generally receives a single message specific thereto. Decoders assigned to that category only receive messages addressed to that category, and not the messages addressed to other categories with other sets of access requirement and authorization right definitions.

The messages sent to each category's decoders define the access requirements for that category. These access requirements must be delivered in a secure manner to prevent unauthorized reassignment of access requirements. In the past, such messages have been delivered encrypted by a secure key ("secret key") within the decoder. However, possession of the secure key would be sufficient to alter a message outside the decoder. A more secure scheme robust to attacks using this secure key is required.

By means of a key hierarchy, in which a plurality of different keys is used to securely communicate messages, delivery of different sets of access requirements for different categories can be combined cryptographically. In such a scheme, the keys that decipher the access requirement message must be delivered to each decoder independently through a secure message. The cryptographic combination of the access requirements for different categories is accomplished by a technique known as "hashing." In this process, all secure data from the message is cryptographically processed using a secure key to produce a shorter data block which is cryptographically dependent on both the secret key needed to decipher the access requirement message and the data contained in that message.

If the result of the hashing operation is used as a key in subsequent processing in the key hierarchy, then any external data tampering on the access requirements message will destroy the subsequent key hierarchy recovered by the decoder. Furthermore, if the hashing operation is performed in a secure area such as inside a secure processing component, security can be maintained even if the hashing key is known. More particularly, it would be computationally infeasible to tamper with the data outside of the secure area without altering the recovered hashing key.

One key used in securing satellite television broadcasts is known as a program key. A program key is associated with a given service for a particular period of time, on the order of hours. An access requirement match with an authorization right held by a decoder is required in addition to the program key for a decoder to gain access to the service.

Another key used in the key hierarchy of prior art satellite television systems is the "category key." All decoders in the same category share the same category key. The category key is changed on a periodic basis, such as monthly. A category key is used to secure a single category, which in turn defines a single set of access requirements and authorization rights definitions.

In the satellite television example, the program key authenticates various category information. In this context "authentication" refers to securing confidence that information has not been altered or replaced by some illicit party between the transmitter and the decoder. Most specifically, it is paramount to authenticate the access requirements, since a natural illicit manipulation is to reassign the access requirements of a service to match an authorization right held in a decoder that wishes to decode that service without authorization. In the past, the authentication has been provided using a linear hashing scheme as illustrated in Figure 2. In this case, the term linear does not refer to the cryptographic or computational complexity definitions of the term, but instead refers to the topological or graphical processing of information as shown in the figure. In the linear hashing scheme shown in the figure, the category key is input to a cryptographic processor 24 via line 20. The cryptographic processor can comprise, for example, a data encryption standard (DES) function as well known in the art. The cryptographic processor generates an initialization vector or "IV" from the encrypted IV ("EIV") input via line 22.

It should be appreciated that although Figure 2 illustrates the linear hashing provided at a decoder, the same hashing would be implemented at the encoder, in which case the derived program key would be identical, as is necessary.

The IV output from the cryptographic processor is input to a first hash function 30 that receives a block N of data to be authenticated. The resultant hashed output from hashing function 30 is dependent upon both the IV and the block of data, and is input to another hashing function 32 that receives another block of authentication data N-1. The process continues along a linear hashing chain generally designated 35 until a first block of the data to be authenticated is hashed by a hashing function 34 to provide an output for Category A. Since all three Categories in the figure allow access to the same service, Category A, B, and C information must be authenticated or hashed together. The result from Category A is therefore passed on to be hashed with Category B in a similar fashion generally designated 25. The result from Category B, which is dependent upon Category A at that point, is passed on for hashing with Category C information as generally designated by reference numeral 26. The result of the Category C hashing is therefore dependent upon the authenticated information of all three Categories, and comprises the actual Program Key.

As is evident from Figure 2, the authentication data resulting from the hashing is derived from information taken from all categories in the chain. This traditional approach to hashing, using a linear chain of Categories A, B, and C, becomes very computationally intensive and time consuming as the number of blocks and Categories to be authenticated increases. This is a particular problem in a communication network where a large number of categories exist, demanding a large volume of data to be hashed by each Category to derive the Program Key common to all Categories. Each Category is burdened by the hashing necessary for all Categories with potential access to that service. Another burden comes from the need for each Category to possess all of the blocks to authenticate for all categories, which may mean decoder delays in acquiring messages for all categories, or wasted bandwidth due to duplicate transmission of information for multiple categories.
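The following is an added worked example of the prior art linear chain of Figure 2; it is not code from the patent. It assumes an HMAC-SHA256 keyed hash as a stand-in for the DES-based hash blocks, and the category key, EIV and block contents are constructed sample data. It shows the cost property the paragraph above describes: every decoder, whatever its category, must hash every block of every category to reach the Program Key, and a change to any block in any category, even one the decoder does not belong to, yields a different key.

```python
import hmac
import hashlib

# Constructed sample data: a category key, the encrypted IV carried on line 22,
# and three categories (A, B, C of Figure 2) of two authentication blocks each.
CATEGORY_KEY = b"category-key-monthly-0001"
EIV = b"encrypted-iv"
CATEGORIES = [
    [b"A:block1:tiers=S0,S1", b"A:block2:expires=+4h"],
    [b"B:block1:tiers=S2", b"B:block2:expires=+4h"],
    [b"C:block1:tiers=S3,S4", b"C:block2:expires=+4h"],
]


def h(key: bytes, data: bytes) -> bytes:
    """Keyed hash standing in for the DES-based hash blocks 30/32/34 of Figure 2:
    the output depends on both the incoming key and the data block."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_iv(category_key: bytes, eiv: bytes) -> bytes:
    """Cryptographic processor 24: recover the IV from EIV under the category key."""
    return h(category_key, eiv)


def hash_category(chain_in: bytes, blocks) -> bytes:
    """Hash one category's blocks N, N-1, ..., 1 onto the incoming chain value,
    so block 1 is hashed last (hash functions 30, 32, ..., 34)."""
    state = chain_in
    for block in reversed(blocks):
        state = h(state, block)
    return state


def linear_program_key(category_key: bytes, eiv: bytes, categories):
    """Figure 2 end to end: IV -> Category A -> Category B -> Category C.
    Returns the Program Key and the number of hash operations every decoder
    must perform, whichever category it belongs to."""
    state = derive_iv(category_key, eiv)
    ops = 1  # the IV derivation
    for blocks in categories:
        state = hash_category(state, blocks)
        ops += len(blocks)
    return state, ops


def tampered(categories, cat_index: int, block_index: int, new_block: bytes):
    """Copy of the category list with one block replaced, modelling an attacker
    reassigning access requirements in a message outside the decoder."""
    copy = [list(blocks) for blocks in categories]
    copy[cat_index][block_index] = new_block
    return copy


if __name__ == "__main__":
    pk, ops = linear_program_key(CATEGORY_KEY, EIV, CATEGORIES)
    print("program key:", pk.hex()[:16], "... hash operations per decoder:", ops)
    bad = tampered(CATEGORIES, 2, 0, b"C:block1:tiers=S0")
    pk2, _ = linear_program_key(CATEGORY_KEY, EIV, bad)
    print("Category C message altered, Category A decoder still gets the same key:", pk == pk2)
```

Note that a Category A decoder cannot verify Category A alone: the chain order is fixed, so it has to receive and hash the blocks of B and C before the Program Key falls out.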

It would be advantageous to provide a more efficient hashing and authentication scheme, wherein each category is minimally burdened by the hashing of information blocks for other categories, and each category need only receive message information for itself, i.e., without including message information for the other categories. Such an apparatus and method should produce a cryptographic signature (e.g., a program key or the like) that authenticates all of the same information authenticated by the prior art linear hashing scheme, without the disadvantages of the linear hashing process.

The present invention provides a method and apparatus having the aforementioned and other advantages.

SUMMARY OF THE INVENTION 


In accordance with the present invention, a method is provided for generating a digital signature that authenticates information of a plurality of different information groups. Information from each of the groups is hashed to produce a separate hash key for each group. Each hash key authenticates the information in its respective group. Particular combinations of the hash keys are then hashed together to produce at least one combined hash key. The digital signature is derived from (e.g., equal to or produced from) at least one combined hash key. The digital signature can be used, for example, as a program key in a subscription television access control system. The signature can also be used for any other purpose in which authenticated information is required for data security purposes.

The hashing step can comprise, for example, a bi-directional cryptographic process. It could alternatively comprise a trapdoor one way function.

The hash keys and combined hash keys can be hashed together according to any desired structure. For example, a binary tree structure may be used to minimize the number of computations that need to be made for each category to derive the Program Key common to all categories. In most implementations, the digital signature will be produced by hashing at least two combined hash keys together. At least one combined hash key may also be hashed with at least one hash key in order to produce the digital signature. Most implementations will probably hash a plurality of hash keys and combined hash keys together in a predetermined order in order to produce the digital signature.

Each of the hash keys is ultimately combined in a predetermined order with all of the other hash keys via the combined hash keys, thereby producing the digital signature in a manner that authenticates the information of all of the information groups. The predetermined order can be established by a network structure in which different hash keys and combined hash keys are input to various nodes of the network to effect the hashing steps. As noted above, the network structure can comprise a binary tree.

The hash key for each group can be produced by hashing the information from that group with a corresponding initialization vector for the group. In an illustrated embodiment, the digital signature is used as a cryptographic key in controlling access to a service communicated to a receiver.

A method is provided for recovering the cryptographic key for use in accessing the service at the receiver. This recovering method comprises the steps of communicating a first information group authenticated by the cryptographic key to the receiver. The first information group is then hashed with its corresponding initialization vector to obtain the hash key for that information group. Also communicated to the receiver are all of the hash keys and combined hash keys used in producing the cryptographic key that do not authenticate the first information group and which are required by the receiver to recover the cryptographic key. The hash keys and combined hash keys communicated to the receiver, as well as the hash key obtained for the first information group, are hashed in accordance with the predetermined order to reproduce the cryptographic key.

The hash keys and combined hash keys may be encrypted prior to communicating them to the receiver. For example, the hash keys and combined hash keys communicated to the receiver can be encrypted under at least one of a hash key and combined hash key derivable at the receiver, or by some other encryption key delivered to the receiver by a known mechanism.

A method is provided for reproducing the digital signature without access to all of the information groups authenticated therewith. In order to achieve this result, the authenticated information from at least one desired information group authenticated by the digital signature is obtained. The obtained information is hashed to reproduce the hash key for the desired information group. A collection of hash keys and combined hash keys is received. This collection of keys comprises those that are necessary to reproduce the digital signature in lieu of the actual information from which the hash keys and combined hash keys in the collection were produced. The reproduced hash key for the desired information group is hashed with the collection of hash keys and combined hash keys in accordance with the predetermined order to reproduce the digital signature.

The predetermined order referred to can comprise a tree structure having branches into which hash keys and combined hash keys are input for hashing. The tree structure has a root from which the digital signature is output. Advantageously, the information groups can be prioritized in the tree structure by assigning the hash keys of those that are to be recovered with the least computation to branches nearest the root. The hash keys of the information groups that justify progressively more computation for recovery are assigned to branches that are progressively further from the root.

The information groups can provide information for controlling access to services provided on a communication network. In such an embodiment, the hash keys of information groups to be processed at an end user location in order to receive a service can be assigned to branches close to the root of the tree structure. Hash keys of information groups to be processed upstream of the end user location (e.g., at a satellite uplink or cable television headend) are assigned to branches further away from the root. In a more generalized embodiment that avoids frequent recalculation of hash keys for portions of the network, the hash keys of information groups that are likely to be modified more frequently are allocated to lower branches of the tree structure than the hash keys of information groups that are likely to be modified less frequently. The lower branches are closer to the root than higher branches of the tree structure.

Receiver apparatus is provided for recovering a digital signature that authenticates information from a plurality of information groups, without requiring the authenticated information from all of the information groups. The receiver apparatus comprises means for receiving the information for at least one of the information groups. The received information is hashed to generate at least one first hash key internal to a physically secure receiver. Means are provided for receiving at least one externally produced additional hash key used to authenticate information from at least one of the information groups that is not received by the receiver apparatus. Means are provided for combining the at least one first hash key with the at least one additional hash key according to a sequence from which the digital signature is produced. The combining means produce the digital signature.

In one embodiment, the digital signature is a cryptographic key used to encrypt a service communicated to the receiver apparatus. The at least one externally produced hash key can be received in an encrypted manner. In this case, the receiver apparatus will further comprise means for decrypting the additional hash key prior to combining it with the at least one first hash key.

The combining means of the receiver apparatus can comprise hash functions for combining the first and additional hash keys. In one embodiment, the receiver apparatus comprises a decoder for pay television signals.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a diagrammatic illustration of a secure satellite broadcasting system;

Figure 2 is a block diagram of a prior art linear chain hashing scheme;

Figure 3 is a block diagram of a hashing scheme in accordance with the present invention using a binary tree structure; and

Figure 4 is a block diagram illustrating a double feedforward hash function.

DETAILED DESCRIPTION OF THE INVENTION 

As described above, Figure 1 illustrates a satellite communication system wherein input signals are encrypted and transmitted by an encoder/transmitter 10 to a satellite 12, for distribution to a plurality of receivers 14, 16 and 18. Each receiver has a subset of various authorization rights taken from the set of rights S0, S1, S2, S3, S4, ... SN. The authorization rights enable different receivers to access different information signals (e.g., television programs) distributed by satellite 12.

The present invention, which overcomes the computational complexity required with the prior art linear hashing scheme of Figure 2, is illustrated in Figure 3. It should be appreciated that the particular embodiment illustrated in Figure 3 is an example only. In particular, Figure 3 illustrates a simple binary tree chaining implementation in which information from three different information groups or categories (Group A, Group B and Group C) is authenticated by a digital signature. Other structures, such as higher order tree structures and other network structures, can also be implemented in accordance with the invention. Typically, actual implementations will have many more branches and nodes than the example illustrated in Figure 3.

Like linear chaining, the network structure of the present invention also links together all information from all blocks to be authenticated. The difference is that the linkage, instead of processing the messages for all Groups or categories in a straight line from beginning to end, combines pairs of data blocks or hash keys in a predetermined order. For example, in the example structure illustrated in Figure 3, pairs of information groups are combined in a binary tree.

The information from each group to be authenticated can be broken into blocks. For example, for the Group A information processed by the branch generally designated 41, the information to be authenticated is presented in two blocks, authentication block 1 and authentication block 2. Authentication block 1 is hashed by hash function 42a and authentication block 2 is hashed by hash function 40a. Hash function 40a receives a cryptographic key (IV) from a cryptographic processor 38a that can comprise, for example, a well known DES function. The cryptographic processor receives an initialization vector (IV) and a unique key for information Group A in order to produce an encrypted (or decrypted or hashed) initialization vector for use as an input to hash function 40a.

Hash function 40a hashes the input received from cryptographic processor 38a with authentication block 2 of the information to be authenticated. The output is used as an input to hash function 42a. This hash function hashes the input received from hash function 40a with authentication block 1 of the information to be authenticated. The result is a hash key HK(A) for branch 41 that is input to another hash function 50. It is noted that although two hash functions 40a and 42a are illustrated, any number of hash functions can be provided depending on how many blocks the information of Group A is broken into for authentication. If the information to be authenticated is not broken into multiple blocks, then only one hash function would be provided in branch 41.

Hash function 50 receives a hash key from independent branch 43 in addition to the hash key received from branch 41 of the binary tree structure. Branch 43 produces its hash key HK(B) in the same manner that the hash key from branch 41 was produced. In particular, cryptographic processor 38b outputs to a first hash function 40b, which in turn outputs to a second hash function 42b for production of the branch 43 hash key.

It is noted that although branches 41 and 43 (as well as branch 45) are all shown in Figure 3 as having the same structure, this is not required. Each independent branch can have any number of other branches feeding into it. Further, the particular hashing scheme used in each branch can be different. Thus, Figure 3 illustrates a simplified binary tree structure for purposes of explaining the present invention. In practice, it is likely that much more complicated tree and network structures will be used, having many branches which ultimately flow to a single root for production of a digital signature.

Hash function 50 hashes the hash keys of branches 41 and 43 to produce a combined hash key HK(AB) for output to another hash function 52. The combined key output from hash function 50 is hashed with the hash key HK(C) output from branch 45 in order to produce the ultimate digital signature that authenticates all of the hashed information from Groups A, B and C. In Figure 3, branch 45 is illustrated as being identical to branches 41 and 43. As explained above, however, this is for purposes of illustration only, and each branch may be entirely different. In branch 45 as illustrated, cryptographic processor 38c outputs to hash function 40c, which in turn outputs to hash function 42c for production of the ultimate hash key for the branch.

The operation of Figure 3 described above corresponds to the processing that takes place when the access requirement messages for all three categories A, B, and C are created. As should be appreciated, the digital signature output from hash function 52 authenticates all of the Group A, Group B and Group C information. This is due to the fact that the hash key output from branch 41 authenticates all of the information from authentication blocks 1 and 2 of Group A; the hash key output from branch 43 authenticates all of the information from authentication blocks 1 and 2 of Group B; and the hash key provided by branch 45 authenticates all of the information from authentication blocks 1 and 2 of Group C. Thus, the combined hash key HK(AB) output from hash function 50 authenticates all of the information from Groups A and B. When this combined hash key is hashed with the hash key HK(C) provided by branch 45 (which authenticates the Group C information), the result is a digital signature HK(ABC) authenticating the information processed by all three branches.

The hash functions can comprise, for example, a bi-directional cryptographic process. Alternatively, they can comprise a trapdoor one way function. Such a trapdoor one way function can be defined as follows:

Let a function be described by the equation c = f(p, ke, kd) (c could be ciphertext, p plaintext, ke the encrypt key and kd the decrypt key). A trapdoor one way function (TDOWF) is one where:

1) given p and ke it is easy to calculate c;

2) given p and kd it is computationally infeasible to calculate c;

3) given c and kd it is easy to calculate p;

4) given p and kd it is computationally infeasible to calculate c;

5) given p and c and ke it is computationally infeasible to calculate kd; and

6) given p and c and kd it is computationally infeasible to calculate ke.

The values ke and kd are trapdoor values relative to each other, since only with them can certain calculations be done easily.

It should be appreciated that encoders or encrypters and decoders or decrypters must both possess the same cryptographic key to work together. The encoder uses this key to encrypt information, and the decoder uses it to decrypt this same information. Both encoder and decoder could therefore perform identical hash processing steps to derive the same key, meaning that they could be in the same Group A, B, or C. Alternatively, the encoder could be in one Group such as A, and the decoder in another Group B or C. The encoder and decoder would perform different processing steps to derive the resultant digital signature, but said signature would be the same for both.

The hash processing for all three categories A, B, and C must be performed when the messages for A, B, and C are created. Both encoder and decoder receive at least one of these messages to enable derivation of the common digital signature. For encoders and decoders, as opposed to the element that created the messages for the encoders and decoders, the processing is greatly simplified. The decoder will be discussed here, though it should be appreciated that the encoder functions similarly.

Each decoder is only required to recover informa- 
tion from some (e.g., one) of the groups. For example, 
the function of one particular decoder may be to decrypt 
received signals on the basis of access control informa- 
tion provided by Group A. In this instance, the Group A 
information will be provided to the decoder (either by
transmission thereto, by prior storage therein, or by 
means of a removable data carrier or the like), but the 
Group B and Group C information will not be provided. 
Using the Group A information, the decoder will repro- 
duce the Group A hash key using the same functions 
provided by branch 41 at the encoder. In particular, a 
cryptographic processor 38a will receive the initializa- 
tion vector in order to provide one input required by 
hash function 40a. Authentication block 2 of the Group 
A information will be the other input to hash function 40a 
together with the key from cryptographic processor 38a 
in order to produce the input required by hash function
42a. This hash function receives authentication block 1 
of the Group A information, hashes it with the key output 
from hash function 40a, and produces the branch 41 
hash key HK(A) pertaining to the Group A information. 

In addition to being provided with the actual Group 
A information, the decoder will also receive the hash 
keys and hash key combinations necessary to produce 
the digital signature. Thus, in addition to producing the 
hash key for branch 41 as described above, the decoder 
will receive the Group B hash key HK(B) and the Group 
C hash key HK(C) directly, without having to compute 
these keys. 

In order to securely transmit the hash keys from the 
other branches to the decoder, these hash keys are 
encrypted. Thus, as shown in Figure 3, a cryptographic 
processor 44a is provided for encrypting the hash key 
produced by branch 43 (HK(B)) under the IV produced 
by Group A cryptographic processor 38a. Similarly, a 
cryptographic processor 46a is provided for encrypting 
the hash key produced by branch 45 (HK(C)) under the 
IV produced by Group A cryptographic processor 38a. 
The decoder associated with Group A will include cryp- 
tographic processors corresponding to processors 44a 
and 46a to decrypt the received, encrypted hash keys 
HK(B)' and HK(C)'.

After decrypting hash keys HK(B) and HK(C), these 
keys will be used to recover the digital signature. More 
particularly, HK(B) will be hashed with the HK(A) pro- 
duced at the decoder using hash function 50 to provide 
the combined hash key HK(AB). This combined hash 
key is input to hash function 52 together with received 
and decrypted hash key HK(C) to produce the digital 
signature. 

For decoders (or encoders) associated with the 
Group B information, the hash key HK(B) will be pro- 
duced locally. Hash keys HK(A) and HK(C) will be pro- 
vided to the decoder in the access requirements 
message with authentication blocks 1 and 2, so that
these hash keys do not have to be recreated at the 
decoder. Cryptographic processors 44b and 46b are 
provided to decrypt the hash keys from branches 41 
and 45 at the decoder, since they are sent in an 
encrypted form. 

For decoders (or encoders) associated with the 
Group C information, the hash key HK(C) will be derived 
locally using functions equivalent to cryptographic proc- 
essor 38c, 40c and 42c. For the example illustrated in 
Figure 3, only one additional key needs to be delivered 
to the decoder; namely, combined hash key HK(AB). As 
can be seen from Figure 3, once the decoder for the 
Group C has locally derived hash key HK(C), all that is 
necessary to reproduce the digital signature using hash 
function 52 is the combined hash key HK(AB). 

As illustrated by Figure 3, the chaining methodol- 
ogy of the present invention saves substantial computa- 
tion at the decoder or encoder when compared to the 
prior art linear hashing technique illustrated in Figure 2. 
Instead of requiring all of the actual information authen-
ticated by the digital signature as required in the prior
art, the present invention only requires the information
corresponding to the particular decoder or encoder to
be delivered, together with the encrypted and already
computed hash keys and hash key combinations for
other branches of the hashing structure. In the event
that information in one of the groups has changed, the
decoder will only need to receive the hash key (or com-
bined hash key(s)) associated with the changed infor-
mation group and those hash keys closer to the root of
the network structure. This represents a vast improve-
ment over the prior art, in which a change of information
in one group impacted all subsequent groups along the
chain.
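The Figure 3 structure described above, as an added example that is not part of the patent: HK(AB) is the hash of HK(A) and HK(B), the signature is the hash of HK(AB) and HK(C), a Group A decoder computes HK(A) locally and receives encrypted HK(B) and HK(C), and a Group C decoder receives only HK(AB). It assumes HMAC-SHA256 as a stand-in for keyed hash functions 40/42/50/52, an XOR mask derived from the IV as a stand-in for cryptographic processors 44/46, and constructed sample authentication blocks; it also shows which keys must be redelivered when only Group B changes.

```python
import hmac
import hashlib

# Stand-in for keyed hash functions 40/42 and 50/52 of Figure 3 (assumption:
# HMAC-SHA256; the DFFH/DES stage of Figure 4 is not modelled here).
def keyed_hash(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# One branch (41, 43 or 45): the IV keys the hash of authentication block 2,
# and that result keys the hash of authentication block 1, giving HK(group).
def group_hash_key(iv: bytes, blocks) -> bytes:
    block1, block2 = blocks
    return keyed_hash(keyed_hash(iv, block2), block1)

def combine(left: bytes, right: bytes) -> bytes:
    """Hash functions 50 and 52: hash one key under the other."""
    return keyed_hash(left, right)

# Placeholder for cryptographic processors 44/46: a transported hash key is
# masked with a keystream derived from the IV (constructed stand-in, not DES).
def transport(iv: bytes, hk: bytes) -> bytes:
    stream = keyed_hash(iv, b"transport-keystream")
    return bytes(a ^ b for a, b in zip(hk, stream))  # XOR is its own inverse

IV = b"constructed-initialization-vector"
GROUPS = {  # constructed sample (authentication block 1, authentication block 2)
    "A": (b"A: entitlement tiers", b"A: access control data"),
    "B": (b"B: program guide", b"B: schedule data"),
    "C": (b"C: key epoch", b"C: scrambling parameters"),
}

def encoder_side(groups):
    """Message creator: computes HK(A), HK(B), HK(C), HK(AB) and the signature."""
    hk = {g: group_hash_key(IV, blocks) for g, blocks in groups.items()}
    hk_ab = combine(hk["A"], hk["B"])          # hash function 50
    return hk, hk_ab, combine(hk_ab, hk["C"])  # hash function 52

def decoder_group_a(blocks_a, enc_hk_b, enc_hk_c):
    """Group A decoder: Group A info plus encrypted HK(B) and HK(C) only."""
    hk_a = group_hash_key(IV, blocks_a)
    hk_ab = combine(hk_a, transport(IV, enc_hk_b))
    return combine(hk_ab, transport(IV, enc_hk_c))

def decoder_group_c(blocks_c, enc_hk_ab):
    """Group C decoder: Group C info plus encrypted HK(AB) only."""
    return combine(transport(IV, enc_hk_ab), group_hash_key(IV, blocks_c))

def check(groups):
    """Return (A reproduces signature, C reproduces signature, hk dict, HK(AB))."""
    hk, hk_ab, sig = encoder_side(groups)
    sig_a = decoder_group_a(groups["A"], transport(IV, hk["B"]), transport(IV, hk["C"]))
    sig_c = decoder_group_c(groups["C"], transport(IV, hk_ab))
    return sig_a == sig, sig_c == sig, hk, hk_ab

if __name__ == "__main__":
    ok_a, ok_c, hk, hk_ab = check(GROUPS)
    # Change Group B only: HK(A), HK(C) unchanged; HK(B) and HK(AB) must be redelivered.
    ok_a2, ok_c2, hk2, hk_ab2 = check(dict(GROUPS, B=(b"B: program guide v2", GROUPS["B"][1])))
    print(ok_a, ok_c, ok_a2, ok_c2, hk2["A"] == hk["A"], hk2["C"] == hk["C"], hk_ab2 != hk_ab)
```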

Any cryptographically secure hash function(s) can
be used to implement the present invention. As will be
appreciated by those skilled in the art, some hash func-
tions will be preferable over others due to their crypto-
graphic integrity. An example of one hash function that
can be used in accordance with the invention is the dou-
ble feedforward (DFFH) hash function of Figure 4.

In the DFFH function illustrated, plaintext is input
via terminal 60 to a cryptographic processor (e.g., DES
processor) 70. The plaintext is also fed forward to an
exclusive OR gate (XOR) 80 via line 74. Processor 70
receives an input key via terminal 62. The input key is
also fed forward via line 72 to an exclusive OR gate 82.
Gate 80 exclusive ORs the ciphertext output from proc-
essor 70 with the plaintext. The result is exclusive
ORd with the input key in gate 82, to provide the
hashed output. If desired, the DFFH stage of Figure 4
can be cascaded with other similar stages, as well
known in the art.
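The DFFH stage of Figure 4 as an added example, not code from the patent: output = E_key(plaintext) XOR plaintext XOR key, with the block cipher passed in as a function. The patent names a DES processor; a constructed toy 8-byte Feistel permutation stands in here so the block runs with no crypto library (it is not secure), and cascading by feeding each stage's output in as the next stage's key, plus zero padding to the block size, are assumptions of this example.

```python
import struct

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel permutation on 8-byte blocks (stand-in for DES, not secure)."""
    left, right = struct.unpack(">II", block)
    k0, k1 = struct.unpack(">II", key)
    for r in range(4):
        rk = (k0 + r * k1) & 0xFFFFFFFF
        f = ((right ^ rk) * 0x9E3779B1) & 0xFFFFFFFF
        f = ((f << 13) | (f >> 19)) & 0xFFFFFFFF
        left, right = right, left ^ f
    return struct.pack(">II", left, right)

def dffh_stage(E, key: bytes, plaintext: bytes) -> bytes:
    """Figure 4: E_key(plaintext) XOR plaintext (gate 80) XOR key (gate 82)."""
    ciphertext = E(key, plaintext)             # processor 70, key from terminal 62
    mixed = xor_bytes(ciphertext, plaintext)   # plaintext fed forward on line 74
    return xor_bytes(mixed, key)               # key fed forward on line 72

def dffh_cascade(E, iv_key: bytes, blocks) -> bytes:
    """Cascaded stages (assumption): each stage's output keys the next stage."""
    key = iv_key
    for block in blocks:
        key = dffh_stage(E, key, block)
    return key

def split_blocks(data: bytes, size: int = 8) -> list:
    """Zero-pad to a multiple of the block size and split (constructed padding rule)."""
    data += b"\x00" * (-len(data) % size)
    return [data[i:i + size] for i in range(0, len(data), size)]

if __name__ == "__main__":
    iv = b"\x01\x02\x03\x04\x05\x06\x07\x08"          # constructed IV / input key
    blocks = split_blocks(b"authentication block 1")  # constructed sample input
    print(dffh_cascade(toy_block_cipher, iv, blocks).hex())
```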

When designing the network or tree structure over
which the hash keys are computed, various steps can
be taken to optimize the decoding process. For exam-
ple, end user decoders (as opposed to commercial
decoders) are generally relatively low cost products
having a limited amount of computational power. There-
fore, in order to reduce signal acquisition times at the
end user decoders, it will be advantageous to assign
hash keys of information groups to be processed by
such decoders to branches of the tree or network struc-
ture closest to the root. The hash keys of information
groups to be processed upstream of the end user loca-
tion (e.g., by commercial decoders at a satellite uplink
or cable television headend) are advantageously
assigned to branches further away from the root.

Similarly, for information groups that are likely to be
modified more frequently, it is advantageous to assign
their hash keys to lower branches of the tree or network
structure. This implies that the hash keys of information
groups that are likely to be modified less frequently are
assigned to higher branches on the tree or network
structure. As a result, information groups that are likely
to be frequently modified will not require as
much recomputation along the tree or network structure
as information groups that are less likely to be modified.
Other considerations may lead to other optimization
techniques for the network or tree structure. These
include both balanced and unbalanced trees. At the
present time, it is believed that a binary tree structure is
optimal for use in providing access control to satellite
television signals. In a binary tree structure, two
branches are provided per node. The goal is to reduce
processing time and maximize the number of data
blocks that can be authenticated.

It should now be appreciated that the present inven- 
tion provides a method and apparatus for generating 
and recovering digital signatures which authenticate 
information of a plurality of different information groups. 
Information from each group is hashed to provide a 
hash key for the group, and combinations of the hash 
keys are hashed in a predetermined order in order to 
ultimately provide a common digital signature. The dig- 
ital signature can be reproduced at a decoder without 
access to all of the information groups authenticated 
thereby. This is accomplished by providing the authenti- 
cated information from at least one of the groups asso- 
ciated with the decoder to locally derive the hash key(s) 
for the associated group(s). Instead of locally deriving 
the hash keys and/or hash key combinations associated 
with other information groups, these items are delivered 
to the decoder from the encoder in an encrypted man- 
ner. 

Although the invention has been described in con- 
nection with a specific exemplary embodiment, it should 
be appreciated that numerous adaptations and modifi- 
cations may be made thereto, without departing from 
the spirit and scope of the invention as set forth in the 
claims. 

Claims 

1. A method for generating a digital signature that 
authenticates information of a plurality of different 
information groups, comprising the steps of: 

hashing information from each of said groups 
to produce a separate hash key for each group, 
each hash key authenticating the information in 
its respective group; 

hashing combinations of said hash keys 
together to produce at least one combined 
hash key; and 

deriving said digital signature from said at least 
one combined hash key. 

2. A method in accordance with claim 1 wherein said 
hashing step comprises a bi-directional crypto- 
graphic process. 

3. A method in accordance with claim 1 wherein said 
hashing step comprises a trapdoor one way func- 
tion. 

4. A method in accordance with one of claims 1 to 3 
wherein said digital signature is produced by hash-
ing at least two combined hash keys together.

5. A method in accordance with one of claims 1 to 3
wherein said digital signature is produced by hash-
ing at least one combined hash key with at least
one hash key.

6. A method in accordance with claim 5 wherein a plu-
rality of hash keys and combined hash keys are
hashed together in a predetermined order to pro-
duce said digital signature.

7. A method in accordance with one of claims 1 to 3
wherein each of said hash keys is ultimately com-
bined in a predetermined order with all other hash
keys via said combined hash keys, thereby produc-
ing said digital signature in a manner that authenti-
cates the information of said information groups.

8. A method in accordance with one of claims 1 to 7
wherein said digital signature is used as a crypto- 
graphic key in controlling access to a service com- 
municated to a receiver. 

9. A method in accordance with one of claims 1 to 8
wherein said hash keys are produced by authenti- 
cating information of different information groups. 

10. A method in accordance with claim 9 wherein said
digital signature is used to determine whether or
not information in any of the different information
groups has changed.

11. A method for recovering the digital signature of
claim 7 for use in accessing a service at a receiver,
comprising the steps of:

hashing a first information group at said
receiver to obtain the hash key for that group;

communicating to said receiver all other hash
keys and combined hash keys used in produc-
ing said digital signature which are required by
said receiver to recover said digital signature;
and

hashing the hash keys and combined hash
keys communicated to the receiver as well as
the hash key obtained for the first information
group, all in accordance with said predeter-
mined order, to reproduce said digital signa-
ture.

12. A method in accordance with claim 11 comprising
the further step of encrypting said hash keys and
combined hash keys prior to communicating them
to said receiver.

13. A method in accordance with claim 12 wherein said
hash keys and combined hash keys communicated
to said receiver are encrypted under at least one of
a hash key and combined hash key derivable at
said receiver.

14. A method for reproducing the digital signature of
claim 7 without access to all of the information
groups authenticated thereby, comprising the steps
of:

obtaining the authenticated information from at
least one desired information group authenti-
cated by said digital signature;

hashing the obtained information to reproduce
the hash key for said desired information
group;

receiving a collection of hash keys and com-
bined hash keys which are necessary to repro-
duce said digital signature in lieu of the actual
information from which the hash keys and com-
bined hash keys in said collection were pro-
duced; and

hashing the reproduced hash key for said
desired information group with said collection
of hash keys and combined hash keys in
accordance with said predetermined order to
reproduce said digital signature.

15. A method in accordance with claim 14 wherein:

said predetermined order comprises a tree
structure having branches into which hash keys
and combined hash keys are input for hashing
and having a root from which said digital signa-
ture is output; and

said information groups are prioritized in said
tree structure by assigning the hash keys of
those that are to be recovered with the least
computation to branches nearest said root and
assigning the hash keys of those that justify
progressively more computation for recovery to
branches that are progressively further from
said root.

16. A method in accordance with claim 15 wherein:

said information groups provide information for
controlling access to services provided on a
communication network; and

the hash keys of information groups to be proc-
essed at an end user location in order to
receive a service are assigned to branches
close to said root, whereas the hash keys of
information groups to be processed upstream
of said end user location are assigned to
branches further away from said root.

17. A method in accordance with claim 15 or 16 
wherein the hash keys of information groups that 
are likely to be modified more frequently are allo- 
cated to lower branches of said tree structure than 
the hash keys of information groups that are likely
to be modified less frequently, said lower branches 
being closer to said root than higher branches of 
said tree structure. 

18. A method in accordance with one of claims 1 to 3 
wherein each of said hash keys is ultimately com- 
bined in a predetermined order established by a 
network structure with all other hash keys via said 
combined hash keys, thereby producing said digital 
signature in a manner that authenticates the infor- 
mation of all of said information groups. 

19. A method in accordance with claim 18 wherein said
network structure comprises a binary tree. 

20. Receiver apparatus for recovering a digital signa- 
ture that authenticates information from a plurality 
of information groups, without requiring the authen- 
ticated information from all of said information 
groups, said apparatus comprising: 

means for receiving the information from at 
least one of said information groups; 
means for hashing the received information to 
internally generate at least one first hash key; 
means for receiving at least one externally pro- 
duced additional hash key used to authenticate 
information from at least one of said informa- 
tion groups that is not received by said appara- 
tus; and 

means for combining said at least one first 
hash key with said at least one additional hash 
key according to a sequence from which said 
digital signature was produced; 

said combining means producing said digital 
signature. 

21. Apparatus in accordance with claim 20 wherein 
said digital signature is a cryptographic key used to 
encrypt a service communicated to said receiver 
apparatus. 

22. Apparatus in accordance with claim 20 or 21 
wherein said at least one externally produced addi- 
tional hash key is received encrypted, said appara- 
tus further comprising means for decrypting said 
additional hash key prior to combining it with said at 
least one first hash key. 

23. Apparatus in accordance with one of claims 20 to 
22 wherein said combining means comprise hash 
functions for combining said first and additional 
hash keys. 

24. Apparatus in accordance with claim 21 wherein 
said receiver apparatus comprises a decoder for 
pay television signals. 
25. Receiver apparatus for recovering a previously pro-
duced digital signature from a plurality of hash keys,
said apparatus comprising:

means for internally generating at least one
first hash key;

means for receiving at least one externally pro-
duced additional hash key; and

means for combining said at least one first
hash key with said at least one additional hash
key according to a sequence from which said
digital signature was previously produced;

said combining means recovering said dig-
ital signature.